Using the ADUC Saved Query functionality - MemberOf

A new HR system is going to generate e-mails to every employee in the company. To accomplish this, about 200 people needed to have accounts created for them. To make administration easier, all 200 new accounts were added to a single AD Group, "Limited Use Employees".

Using Active Directory Users and Computers (ADUC), you can query for individual names, groups, and even resources on the network, like computers, printers, etc. If you have 200 people you are attempting to modify, you can modify each one individually (ouch!!), you can modify the container they reside in (not bad, especially if you use a GPO), or you can use a mass-modify solution, like scripting or LDIFDE. LDIFDE works best if you have some field that ties them all together (same department, same company field, etc.), but not so well if you don't. Scripting works great, but does require a bit of coding experience: read file, find account, modify value, save user, repeat.

We wanted something simpler. ADUC has a built-in query function that lets you build 'Saved Queries'. This option has a number of basic wizards that allow you to build various queries to search your AD environment. For example, to find all mail-enabled groups that don't have a manager:

  1. NEW -> Query
  2. Give it a detailed name
  3. Click Define Query
  4. In the FIND dropdown, select Exchange Recipients
  5. Deselect all but Mail-enabled groups
  6. Select the Advanced tab
    1. Field - Group - Managed By and the Condition = Not Present, click Add
    2. Field - Group - Members and the Condition = Present, click Add
  7. Click OK twice to save
  8. Click Refresh (F5) to get the latest information.

As I stated, we added all 200 employees to the same distribution list, so what we needed was a query that returns all the members of a specific distribution group. I found only one way to get this query to work: you need to create the query so it points directly to the distinguished name (DN) of your group. The DN can be found with ADSI Edit, or you can build it by hand.

To build the DN by hand you need the value in the Canonical Name of Object field. This can be found on the Object tab of the group in ADUC. It should look something like:

corp.ent/Groups/Limited Use
(Domain)/OU1/.../OUn/Group Name

(where ... stands for any number of sub-OU containers.)

The distinguished name simply reverses that path and labels each portion (cn= for the group, ou= for each OU, dc= for each part of the domain name). So for my example, the distinguished name would be (NOTE: the '\' before the group name is required):

cn=\Limited Use,ou=Groups,dc=corp,dc=ent

So, for the Advanced Filter, I put:

Member Of is (exactly) cn=\Limited Use,ou=Groups,dc=corp,dc=ent
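As an added example (not code from the original post), the reversal described above written as a small Python routine so it can be checked outside ADUC: it turns a canonical name into an RFC 4514 distinguished name and wraps it in the `(memberOf=...)` LDAP filter that scripting or `ldifde -r` would take. It assumes the default domain containers (Users, Computers, Builtin, ...) are CN= containers rather than OUs, and it emits the plain LDAP DN form, without the leading '\' that the ADUC Advanced tab above is given.

```python
# Well-known domain containers that are cn= objects, not organizational units.
# Assumption: the standard set in a fresh domain; extend it for custom containers.
CN_CONTAINERS = {"Users", "Computers", "Builtin", "ForeignSecurityPrincipals",
                 "Managed Service Accounts", "Program Data", "System"}


def escape_rdn_value(value: str) -> str:
    """Escape one RDN attribute value per RFC 4514 (backslash escaping)."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out.startswith("#") or out.startswith(" "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def canonical_to_dn(canonical: str, cn_containers=CN_CONTAINERS) -> str:
    """Convert 'domain/OU1/.../OUn/Name' into 'cn=Name,ou=OUn,...,ou=OU1,dc=...'.

    The leaf is always cn=; intermediate components are ou= unless they are
    well-known cn= containers (e.g. corp.ent/Users/X -> cn=X,cn=Users,dc=corp,dc=ent).
    """
    parts = canonical.strip("/").split("/")
    if len(parts) < 2:
        raise ValueError("canonical name needs at least a domain and an object name")
    domain, path, leaf = parts[0], parts[1:-1], parts[-1]
    rdns = ["cn=" + escape_rdn_value(leaf)]
    for container in reversed(path):          # walk from the object back up to the root
        prefix = "cn=" if container in cn_containers else "ou="
        rdns.append(prefix + escape_rdn_value(container))
    rdns.extend("dc=" + escape_rdn_value(label) for label in domain.split("."))
    return ",".join(rdns)


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter per RFC 4515."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def member_of_filter(group_canonical: str) -> str:
    """LDAP filter equivalent of the saved query 'Member Of is (exactly) <DN>'."""
    return "(memberOf=%s)" % escape_filter_value(canonical_to_dn(group_canonical))


if __name__ == "__main__":
    # Constructed sample matching the canonical name shown in the post.
    print(canonical_to_dn("corp.ent/Groups/Limited Use"))
    print(member_of_filter("corp.ent/Groups/Limited Use"))
```

Note that a comma or other special character in a group name gets backslash-escaped in the DN and then hex-escaped again when the DN is placed in the filter; the function handles both layers so the filter still matches the exact memberOf value.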

Unfortunately, after all this, I found out that you cannot modify Exchange mailbox properties, like Delivery Restrictions, using this method. So I guess we are back to the other options: individually (probably safer) or using a script.